Napoca Bare Metal Hypervisor
Monthly
Out-of-bounds write in the Bitdefender Napoca bare-metal hypervisor allows a low-privileged guest to corrupt hypervisor heap memory via crafted SS:SP register values processed by the real-mode hook handler. The flaw, tracked as EUVD-2026-33944 and reported by Bitdefender itself, affects an end-of-life product with no public exploit identified at time of analysis. Successful exploitation breaks the guest-to-hypervisor boundary, yielding total compromise of confidentiality, integrity, and availability of the host hypervisor.
Out-of-bounds heap write in the Bitdefender Napoca bare-metal hypervisor lets a malicious guest VM operating in real mode corrupt hypervisor memory through a crafted INT 0x15/E820 BIOS call, potentially enabling guest-to-host escape. The flaw resides in napoca/guests/bios_handlers.c, which computes a write offset from attacker-controlled ES:EDI register values without bounds checking against the 1MB RealModeMemory buffer. No public exploit identified at time of analysis, and CISA SSVC classifies exploitation status as 'none' - but the product is end-of-life and unsupported, raising the long-term risk profile.
Out-of-bounds write in the Bitdefender Napoca bare-metal hypervisor allows a low-privileged guest to corrupt hypervisor heap memory via crafted SS:SP register values processed by the real-mode hook handler. The flaw, tracked as EUVD-2026-33944 and reported by Bitdefender itself, affects an end-of-life product with no public exploit identified at time of analysis. Successful exploitation breaks the guest-to-hypervisor boundary, yielding total compromise of confidentiality, integrity, and availability of the host hypervisor.
Out-of-bounds heap write in the Bitdefender Napoca bare-metal hypervisor lets a malicious guest VM operating in real mode corrupt hypervisor memory through a crafted INT 0x15/E820 BIOS call, potentially enabling guest-to-host escape. The flaw resides in napoca/guests/bios_handlers.c, which computes a write offset from attacker-controlled ES:EDI register values without bounds checking against the 1MB RealModeMemory buffer. No public exploit identified at time of analysis, and CISA SSVC classifies exploitation status as 'none' - but the product is end-of-life and unsupported, raising the long-term risk profile.